Active Directory GPO for Password Policy Not Applying from Default Domain Policy


The password policy should be applied to the OU of the servers where the account database is. If you are trying to control the password on the active directory this means your policy should be applied to Domain Controllers OU. If you have inheritance blocked on your Domain Controllers OU, then modifying the Default Domain policy which is linked at the root by default will not do what you want.

By setting the policy at the default domain level you are probably controlling the password policy of your workstation. By this I mean the local accounts on your workstations would now have the password requirements. Try creating a local account and setting a password.

This partly relates to the same reason why you cannot have more than one password policy in a pre-Windows 2008 domain. The policy must be applied to all the Domain Controllers, so there is no way to distinguish between different users/computers.

Even with the fine-grained policies in 2008 you cannot simply use a group policy, you have to set up special attributes in LDAP to have different objects target different password policies.
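As an added diagnostic (not part of the original answer), the following PowerShell checks the points made above: what the Domain Controllers actually enforce, whether the Domain Controllers OU blocks inheritance of the root-linked Default Domain Policy, and which fine-grained policies (PSOs) exist and apply. It assumes the ActiveDirectory and GroupPolicy RSAT modules (Windows 2008 R2 or later tooling) run from a domain-joined admin session; `someuser` is a placeholder account name.

```powershell
# Added diagnostic, not the original answer's code. Requires the RSAT
# ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The policy the DCs enforce for domain accounts. If this does not match
#    the settings you put in the Default Domain Policy, the GPO is not
#    reaching the Domain Controllers.
Write-Host "Effective domain password policy (what the DCs enforce):"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MinPasswordAge,
                MaxPasswordAge, PasswordHistoryCount, LockoutThreshold

# 2. Inheritance on the Domain Controllers OU. A blocked OU is the usual
#    reason a GPO linked at the domain root never reaches the DCs.
$dcOu = $domain.DomainControllersContainer
$inh  = Get-GPInheritance -Target $dcOu
Write-Host "`nDomain Controllers OU: $dcOu"
Write-Host "Inheritance blocked:   $($inh.GpoInheritanceBlocked)"
Write-Host "GPOs applied to the DCs, in precedence order:"
$inh.InheritedGpoLinks | ForEach-Object {
    "  [{0}] {1} (enforced={2}, enabled={3})" -f $_.Order, $_.DisplayName, $_.Enforced, $_.Enabled
}

# 3. Fine-grained password policies (2008+ domain functional level). These are
#    PSO objects whose msDS-PSOAppliesTo attribute names the targets; they are
#    not GPOs and override the domain policy for those targets.
try {
    $psos = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction Stop
    if ($psos) {
        Write-Host "`nFine-grained policies present:"
        foreach ($p in $psos) {
            "  {0} (precedence {1}) applies to: {2}" -f $p.Name, $p.Precedence, ($p.AppliesTo -join '; ')
        }
    } else { Write-Host "`nNo fine-grained password policies defined." }
} catch {
    Write-Host "`nFine-grained policies unavailable (domain functional level below 2008?)."
}

# 4. Resultant policy for one account: a PSO if one applies, else domain policy.
$user = 'someuser'   # placeholder sAMAccountName
$res = Get-ADUserResultantPasswordPolicy -Identity $user
if ($res) { "User {0} gets PSO '{1}'" -f $user, $res.Name }
else      { "User {0} falls back to the domain password policy" -f $user }
```

On the affected workstation itself, `net accounts` shows the local account policy (the one the root-linked GPO changed) and `net accounts /domain` shows what the DCs enforce; a mismatch between the two confirms the answer's point.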

Author: tacos_tacos_tacos

Updated on September 18, 2022

Comments

  • tacos_tacos_tacos
    tacos_tacos_tacos almost 2 years

    Ok. I have implemented a Password Policy. I know from previous posts that it cannot be applied from within an OU so I have configured it from the Default Domain Policy. I run RSOP.msc from a client machine and the policy settings are displayed with the Source GPO "Default Domain Policy." So it appears that it is working, but it's not. For example, I have a complexity requirement, but it accepts the password "a." It also allows me to change my password within Windows Security while the setting is "Minimum password age" of 89 days. Clearly the policy is not actually being applied!

    What to do?

    RSOP results for XXXX\XXXX on XXXXX-XXXXX: Logging Mode
    ----------------------------------------------------------
    
    OS Type:                     Microsoft Windows XP Professional
    OS Configuration:            Member Workstation
    OS Version:                  5.1.2600
    Domain Name:                 XXXXXX
    Domain Type:                 Windows 2000
    Site Name:                   XXXXXX
    Roaming Profile:
    Local Profile:               C:\Documents and Settings\XXXXX
    Connected over a slow link?: No
    
    
    COMPUTER SETTINGS
    ------------------
    
        CN=XXXXXXXXX,OU=UserComputers,DC=corp,DC=XXXXX,DC=com
        Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
        Group Policy was applied from:      tfs.corp.emergingmed.com
        Group Policy slow link threshold:   0 kbps
    
        Applied Group Policy Objects
        -----------------------------
            Published Software
            Copy of Base
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The computer is a part of the following security groups:
        --------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            SQLServerMSSQLServerADHelperUser$XXXXX
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            XXXXXXX$
            Domain Computers
            People
    
    
    USER SETTINGS
    --------------
        CN=XXXXXX,OU=Employees,DC=corp,DC=XXXX,DC=com
        Last time Group Policy was applied: 10/14/2011 at 3:58:40 PM
        Group Policy was applied from:      tfs.corp.XXXXX.com
        Group Policy slow link threshold:   0 kbps
    
        Applied Group Policy Objects
        -----------------------------
            Published Software
            Startup Scripts
            Copy of Base
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The user is a part of the following security groups:
        ----------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            Remote Desktop Users
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            LOCAL
    
    • Ben Pilbrow
      Ben Pilbrow over 12 years
      Just to rule out weirdness, have you done a gpupdate on an affected machine?
    • tacos_tacos_tacos
      tacos_tacos_tacos over 12 years
      I restarted the machine several times since it was computer policy and my understanding is that computer policy changes require a restart - and upon restart it should do a gprefresh. I just did one anyway though and I posted the gpresult above.
    • tacos_tacos_tacos
      tacos_tacos_tacos over 12 years
      Do you think it matters that my PC is in an OU (UserComputers)?
  • tacos_tacos_tacos
    tacos_tacos_tacos over 12 years
    You sir are excellent